Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Easy way to convert bits into bytes and kb

jalfrey
Communicator
‎06-24-2013 04:26 PM

one of the values in my log is sent and received I believe it's bytes. I would like to display those as Kb and Mb. Using commas would also be great. Is there any easy way to tell splunk to do this?

here is my sample log:

Jun 24 16:22:55 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 16:22:55" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3641361 usr="admin" src=10.103.62.80:32826:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=716 rcvd=472

near the end you see: sent=716 and rcvd=472. I would like to display those like

Sent: 716 bytes
Received: 472 bytes
If they were larger like this log

Jun 24 16:22:53 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 16:22:53" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3641359 usr="admin" src=10.103.62.80:32825:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=791 rcvd=3742

then it would be:
sent: 791 bytes
received: 3.6 Kb

Tags (2)
Reply

ddrillic
Ultra Champion
‎03-28-2016 11:30 AM

I would use something like - eval bytes = round(bytes/1024/1024,2) | rename bytes as "total(MB)". For something like this, we can use a search macro - http://docs.splunk.com/Documentation/Splunk/6.0.4/Search/Usesearchmacros.

0 Karma
Reply

northben
Explorer
‎03-28-2016 06:57 AM

I wrote a Splunk app, "Humanize", to help with this situation: https://splunkbase.splunk.com/app/3104/

My app will convert a number in bytes to a human-friendly representation - KB, MB, GB, etc.

Please let me know if you have any feedback so I can improve the app!

0 Karma
Reply

kenoski
Path Finder
‎03-28-2016 10:10 AM

Your App is not visible in Splunkbase.

0 Karma
Reply

northben
Explorer
‎03-28-2016 09:51 PM

Ahh, thanks for letting me know. I emailed support and they just released it.

0 Karma
Reply

adrianathome
Communicator
‎06-24-2013 05:36 PM

One way to do it is with the eval command.

...|eval kb_rcvd=(rcvd/1024)

However, this would not scale with MB, etc. If the values are usally in the bytes/KB it might be worth a shot.

0 Karma
Reply

asimagu
Builder
‎06-24-2013 05:33 PM

in order to have commas:

fieldformat AVG=tostring(AVG,"commas")

in order to be showing Kb or bytes or any other you will need to play with eval and case to have your condition sentences. It all should work nice and pretty

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top